[PRMP-892] Add Staging S3 Bucket as an Origin to the CloudFront Distribution (#527)

Signed-off-by: NogaNHS <[email protected]>
Co-authored-by: NogaNHS <[email protected]>

Author: steph-torres-nhs

infrastructure/buckets.tf

@@ -51,7 +51,7 @@ module "ndr-lloyd-george-store" {
   access_logs_enabled       = local.is_production
   access_logs_bucket_id     = local.access_logs_bucket_id
   cloudfront_enabled        = true
-  cloudfront_arn            = module.cloudfront-distribution-lg.cloudfront_arn
+  cloudfront_arn            = aws_cloudfront_distribution.s3_presign_mask.arn
   bucket_name               = var.lloyd_george_bucket_name
   enable_bucket_versioning  = true
   environment               = var.environment
@@ -122,6 +122,8 @@ module "ndr-bulk-staging-store" {
   bucket_name               = var.staging_store_bucket_name
   enable_cors_configuration = true
   enable_bucket_versioning  = true
+  cloudfront_arn            = aws_cloudfront_distribution.s3_presign_mask.arn
+  cloudfront_enabled        = true
   environment               = var.environment
   owner                     = var.owner
   force_destroy             = local.is_force_destroy
@@ -167,7 +169,7 @@ module "ndr-document-pending-review-store" {
   enable_bucket_versioning  = true
   force_destroy             = local.is_force_destroy
   cloudfront_enabled        = true
-  cloudfront_arn            = module.cloudfront-distribution-lg.cloudfront_arn
+  cloudfront_arn            = aws_cloudfront_distribution.s3_presign_mask.arn
   enable_cors_configuration = true
   cors_rules = [
     {

infrastructure/cloudfront.tf

@@ -1,3 +1,16 @@
+locals {
+  # required by USA-based CI pipeline runners to run smoke tests
+  allow_us_comms = !local.is_production
+}
+
+resource "aws_cloudfront_origin_access_control" "s3" {
+  name                              = "${terraform.workspace}_cloudfront_s3_oac_policy"
+  description                       = "CloudFront S3 OAC"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "never"
+  signing_protocol                  = "sigv4"
+}
+
 module "cloudfront_firewall_waf_v2" {
   source         = "./modules/firewall_waf_v2"
   cloudfront_acl = true
@@ -8,16 +21,136 @@ module "cloudfront_firewall_waf_v2" {
   providers   = { aws = aws.us_east_1 }
 }
 
-module "cloudfront-distribution-lg" {
-  source                        = "./modules/cloudfront"
-  bucket_domain_name            = module.ndr-lloyd-george-store.bucket_regional_domain_name
-  bucket_id                     = module.ndr-lloyd-george-store.bucket_id
-  qualifed_arn                  = module.edge-presign-lambda.qualified_arn
-  depends_on                    = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name, module.ndr-document-pending-review-store.bucket_id, module.ndr-document-pending-review-store.bucket_domain_name]
-  web_acl_id                    = try(module.cloudfront_firewall_waf_v2[0].arn, "")
-  has_secondary_bucket          = local.is_production ? false : true
-  secondary_bucket_domain_name  = module.ndr-document-pending-review-store.bucket_regional_domain_name
-  secondary_bucket_id           = module.ndr-document-pending-review-store.bucket_id
-  secondary_bucket_path_pattern = "/review/*"
-  log_bucket_id                 = local.access_logs_bucket_id
-}
+resource "aws_cloudfront_distribution" "s3_presign_mask" {
+  price_class = "PriceClass_100"
+
+  origin {
+    domain_name              = module.ndr-lloyd-george-store.bucket_regional_domain_name
+    origin_id                = module.ndr-lloyd-george-store.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
+  }
+  enabled         = true
+  is_ipv6_enabled = true
+
+  default_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    target_origin_id         = module.ndr-lloyd-george-store.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = module.edge-presign-lambda.qualified_arn
+    }
+  }
+
+  origin {
+    domain_name              = module.ndr-document-pending-review-store.bucket_regional_domain_name
+    origin_id                = module.ndr-document-pending-review-store.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    path_pattern             = "/review/*"
+    target_origin_id         = module.ndr-document-pending-review-store.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = module.edge-presign-lambda.qualified_arn
+    }
+  }
+
+  origin {
+    domain_name              = module.ndr-bulk-staging-store.bucket_regional_domain_name
+    origin_id                = module.ndr-bulk-staging-store.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    path_pattern             = "/upload/*"
+    target_origin_id         = module.ndr-bulk-staging-store.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = module.edge-presign-lambda.qualified_arn
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "whitelist"
+      locations        = local.allow_us_comms ? ["GB", "US"] : ["GB"]
+    }
+  }
+
+  web_acl_id = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+}
+
+resource "aws_cloudfront_origin_request_policy" "viewer" {
+  name = "${terraform.workspace}_BlockQueriesAndAllowViewer"
+
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = [
+        "X-Amz-Algorithm",
+        "X-Amz-Credential",
+        "X-Amz-Date",
+        "X-Amz-Expires",
+        "X-Amz-SignedHeaders",
+        "X-Amz-Signature",
+        "X-Amz-Security-Token"
+      ]
+    }
+  }
+
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = [
+        "Host",
+        "CloudFront-Viewer-Country",
+        "X-Forwarded-For"
+      ]
+    }
+  }
+
+  cookies_config {
+    cookie_behavior = "none"
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "nocache" {
+  name        = "${terraform.workspace}_nocache_policy"
+  default_ttl = 0
+  max_ttl     = 0
+  min_ttl     = 0
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+    headers_config {
+      header_behavior = "none"
+    }
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}

infrastructure/iam.tf

@@ -142,7 +142,8 @@ data "aws_iam_policy_document" "assume_role_policy_for_get_doc_ref_lambda" {
       type = "AWS"
       identifiers = [
         module.get-doc-fhir-lambda.lambda_execution_role_arn,
-        module.get-doc-ref-lambda.lambda_execution_role_arn
+        module.get-doc-ref-lambda.lambda_execution_role_arn,
+        module.post_document_review_lambda.lambda_execution_role_arn
       ]
     }
   }

infrastructure/lambda-edge-presign.tf

@@ -73,11 +73,34 @@ module "edge-presign-lambda" {
   iam_role_policies = [
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
     aws_iam_policy.ssm_access_policy.arn,
-    module.ndr-app-config.app_config_policy_arn
+    module.ndr-app-config.app_config_policy_arn,
+    aws_iam_policy.staging_bucket_put.arn
   ]
   providers = {
     aws = aws.us_east_1
   }
-  bucket_names = [module.ndr-lloyd-george-store.bucket_id, module.ndr-document-pending-review-store.bucket_id]
-  table_name   = module.cloudfront_edge_dynamodb_table.table_name
-}
+  bucket_names = [
+    module.ndr-lloyd-george-store.bucket_id,
+    module.ndr-document-pending-review-store.bucket_id,
+    module.ndr-bulk-staging-store.bucket_id
+  ]
+  table_name = module.cloudfront_edge_dynamodb_table.table_name
+}
+
+resource "aws_iam_policy" "staging_bucket_put" {
+  name = "${terraform.workspace}_staging_bucket_put"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:PutObject"
+        ],
+        Resource = [
+          "${module.ndr-bulk-staging-store.bucket_arn}/*",
+        ]
+      }
+    ]
+  })
+}

infrastructure/lambda-get-doc-ref.tf

@@ -64,11 +64,10 @@ module "get-doc-ref-lambda" {
     WORKSPACE                  = terraform.workspace
     PRESIGNED_ASSUME_ROLE      = aws_iam_role.get_doc_ref_presign_url_role.arn
     EDGE_REFERENCE_TABLE       = module.cloudfront_edge_dynamodb_table.table_name
-    CLOUDFRONT_URL             = module.cloudfront-distribution-lg.cloudfront_url
+    CLOUDFRONT_URL             = aws_cloudfront_distribution.s3_presign_mask.domain_name
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    module.cloudfront-distribution-lg,
     module.document_reference_id_gateway
   ]
 }

infrastructure/lambda-get-document-fhir.tf

@@ -60,7 +60,7 @@ module "get-doc-fhir-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME = module.lloyd_george_reference_dynamodb_table.table_name
     PDM_DYNAMODB_NAME          = module.pdm_dynamodb_table.table_name
     OIDC_CALLBACK_URL          = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
-    CLOUDFRONT_URL             = module.cloudfront-distribution-lg.cloudfront_url
+    CLOUDFRONT_URL             = aws_cloudfront_distribution.s3_presign_mask.domain_name
     PDS_FHIR_IS_STUBBED        = local.is_sandbox
   }
   depends_on = [

infrastructure/lambda-get-document-review.tf

@@ -24,14 +24,13 @@ module "get_document_review_lambda" {
     APPCONFIG_CONFIGURATION       = module.ndr-app-config.app_config_configuration_profile_id
     DOCUMENT_REVIEW_DYNAMODB_NAME = module.document_upload_review_dynamodb_table.table_name
     EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
-    CLOUDFRONT_URL                = module.cloudfront-distribution-lg.cloudfront_url
+    CLOUDFRONT_URL                = aws_cloudfront_distribution.s3_presign_mask.domain_name
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.get_document_review_presign.arn
     WORKSPACE                     = terraform.workspace
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.review_document_version_gateway,
-    module.cloudfront-distribution-lg
   ]
 }
 

infrastructure/lambda-lloyd-george-record-stitch.tf

@@ -78,7 +78,7 @@ module "lloyd-george-stitch-lambda" {
     LLOYD_GEORGE_BUCKET_NAME      = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
     LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
-    CLOUDFRONT_URL                = module.cloudfront-distribution-lg.cloudfront_url
+    CLOUDFRONT_URL                = aws_cloudfront_distribution.s3_presign_mask.domain_name
     WORKSPACE                     = terraform.workspace
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.stitch_presign_url_role.arn
     EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
@@ -88,7 +88,6 @@ module "lloyd-george-stitch-lambda" {
     module.ndr-lloyd-george-store,
     module.lloyd-george-stitch-gateway,
     module.ndr-app-config,
-    module.cloudfront-distribution-lg,
     module.stitch_metadata_reference_dynamodb_table,
     module.lloyd_george_reference_dynamodb_table
   ]

infrastructure/lambda-post-document-review.tf

@@ -27,6 +27,7 @@ module "post_document_review_lambda" {
     WORKSPACE                     = terraform.workspace
     STAGING_STORE_BUCKET_NAME     = module.ndr-bulk-staging-store.bucket_id
     EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
+    CLOUDFRONT_URL                = aws_cloudfront_distribution.s3_presign_mask.domain_name
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,